The Hostinger Breach and the Rise of API Threats
Hostinger, the web hosting platform, this week confirmed a breach involving an unauthorized third party gaining access to its internal system API. But it’s only the most recent API attack in a notable string of incidents.
API threats are on the rise with no end on the horizon. Akamai’s State of the Internet report (pdf) found “83% of all web traffic in 2018 was in API traffic.” Further, according to an earlier Gartner research report, APIs will be the “most frequently attacked vector for enterprise web application data breaches” by 2022.
“Cyberattacks and data breaches involving poorly protected application programming interfaces (APIs) are rapidly increasing, and there is not a singular plug-and-play solution to preventing such data breaches from happening,” said Chris Konrad, global director of security strategy at World Wide Technology.
An API attack can be devastating. Back in March, the LandMark White breach also sprang from an internal API attack and it led to massive repercussions. Major customers abandoned Australia’s largest independent property valuation and consultancy firm in droves, and executive heads rolled, including the CEO’s.
Another example of where API dangers lurk is found in a Facebook vulnerability.
“Facebook Marketplace was only showing the approximate location of sellers but this masking was only done by the web app. Someone invoking the API directly could get the exact location of that $5,000 sports bicycle that you put on sale without ever contacting you,” warned Dmitry Sotnikov, vice president of cloud platform at 42 Crunch.
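The Marketplace flaw Sotnikov describes is a general pattern: the privacy control (blurring a seller's location) lived in the web client, so the API behind it handed out the exact coordinates to anyone who called it directly. The following added example (not code from the article, from Facebook, or from 42 Crunch) contrasts that design with one where the API itself coarsens the location before anything leaves the server. The `Listing` type, the function names and the grid-plus-jitter coarsening scheme are constructed for illustration, and the sample listing and salt are made up.

```python
"""Server-side vs client-side location masking for a marketplace-style listing API.

Added illustration only: `Listing`, `serialize_listing_insecure`,
`serialize_listing_secure` and the coarsening scheme are hypothetical and are
not the design of any real platform.
"""
from __future__ import annotations

import hashlib
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Listing:
    listing_id: int
    title: str
    price: float
    lat: float   # exact seller location as stored server-side
    lon: float


# The flawed pattern from the article: the API returns the exact coordinates
# and relies on the web front end to blur them before display. Anyone calling
# the API directly receives the raw values.
def serialize_listing_insecure(item: Listing) -> dict:
    return {"id": item.listing_id, "title": item.title, "price": item.price,
            "lat": item.lat, "lon": item.lon}


GRID_DEG = 0.02  # roughly a 2 km grid; choose to match the privacy level wanted


def _jitter(item_id: int, salt: bytes, axis: str) -> float:
    """Deterministic offset in [-GRID_DEG/2, GRID_DEG/2) derived from a
    server-side secret. The same listing always maps to the same blurred point;
    fresh random noise per request could be averaged back toward the truth."""
    digest = hashlib.sha256(salt + f"{item_id}:{axis}".encode()).digest()
    frac = int.from_bytes(digest[:8], "big") / 2 ** 64  # uniform in [0, 1)
    return (frac - 0.5) * GRID_DEG


def approximate_location(item: Listing, salt: bytes) -> tuple[float, float]:
    """Snap the exact point to the centre of its grid cell, then add the stable
    jitter so cell boundaries are not revealed either."""
    lat_cell = math.floor(item.lat / GRID_DEG) * GRID_DEG + GRID_DEG / 2
    lon_cell = math.floor(item.lon / GRID_DEG) * GRID_DEG + GRID_DEG / 2
    return (round(lat_cell + _jitter(item.listing_id, salt, "lat"), 5),
            round(lon_cell + _jitter(item.listing_id, salt, "lon"), 5))


# Hardened pattern: exact coordinates never leave the server, so the web app,
# the mobile app and a direct API call all see the same approximate point.
def serialize_listing_secure(item: Listing, salt: bytes) -> dict:
    lat, lon = approximate_location(item, salt)
    return {"id": item.listing_id, "title": item.title, "price": item.price,
            "approx_lat": lat, "approx_lon": lon}


def leaks_exact_location(payload: dict, item: Listing) -> bool:
    """Regression check for API tests: does any field echo the stored exact
    coordinate? This is the assertion that would have caught the client-side
    masking flaw."""
    return any(isinstance(v, float) and v in (item.lat, item.lon)
               for v in payload.values())


if __name__ == "__main__":
    # Constructed sample data; the salt would normally come from secret storage.
    salt = b"constructed-demo-salt"
    bike = Listing(42, "Sports bicycle", 5000.0, 48.8583701, 2.2944813)
    print("insecure leaks exact location:",
          leaks_exact_location(serialize_listing_insecure(bike), bike))
    print("secure leaks exact location:  ",
          leaks_exact_location(serialize_listing_secure(bike, salt), bike))
    print(serialize_listing_secure(bike, salt))
```

The point of `leaks_exact_location` is that the test runs against the API response, not against what the browser renders: if the check fails there, it does not matter how carefully the web app blurs the map.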
Given that we now live in an API economy, these threats can surface anywhere.
“Tchap was a messaging app that the French government released for internal use. It was hailed as a more secure replacement for Telegram and WhatsApp. And ironically enough it indeed got hacked,” Sotnikov wrote in a newsletter to clients. “The attacker claimed that he did the hack within just one hour.”
API vulnerabilities are sometimes even intentional, or at least a pivotal element to an application’s functionality, unbeknownst to users who likely consider their information private and protected.
“Over the last several months, security researchers have demonstrated how the Venmo API will serve up millions of transactional records of users — information such as the source, destination, amount and message text are included. While this may appear to be a serious breach, it is actually the intended functionality of the Venmo platform,” explained Alex Heid, chief research officer at SecurityScorecard.
“Many users of Venmo do not realize that the platform was designed to merge the concepts of both social media and banking. As a result, Venmo settings make payments and messages between individuals public by default — and users have to change their settings to make information private. This is similar to many other social media platforms, but seems to have unintended consequences as consumers are not fully aware of all aspects of technologies before they make use of it,” Heid added.
Why APIs Are Under Attack
The important thing to remember, said Sotnikov, is “the data that the API returns is what matters.” The API is just another means to access data.
“Modern web frameworks like React and mobile applications are built around APIs to provide a better experience. It is common to deploy security products on the main consumer outlets – the website or specific applications – but attackers will always look for the path of least resistance, and in many cases, the APIs are exactly that. Remember, APIs are exposed to the entire internet and it is fairly easy to see which API calls are made by any website or mobile application,” said Amir Shaked, vice president of research and development at PerimeterX.
Despite the rising number of attacks, far too often APIs …